Keep getting infected with virus even after formatting pc


  1. Posts : 9
    Windows 7 Professional x64
       #1

    Keep getting infected with virus even after formatting pc


    Hello. I am having a pretty serious issue with a virus that keeps re-infecting my PC even after I format and reinstall Windows. I will try to provide as much detail as possible about my situation.

    I have been dealing with this repeated infection for quite some time now and have tried a few different options for getting rid of it. When the infection occurs, a ton of Internet Explorer windows start to pop up on my desktop. I also get a message that says "C:\Program Files\Internet Explorer\IEXPLORE.EXE No such interface supported." All of the IE windows link to different websites, some in different languages, but they are all spam-type websites. We use ESET NOD32 anti-virus here and this does prevent connection to some of these websites, but it never seems to detect the virus before it infects my PC. I also have programs force close on me, my PC reboots by itself, and malicious executables appear in my startup folder (which I assume is causing all the IE windows to pop up).

    Like I mentioned, ESET never seems to catch an infection beforehand. I have tried using the Malwarebytes free trial and that actually does catch an infection before it does anything. However, Malwarebytes itself eventually becomes infected so it doesn't help after that. Malwarebytes usually identifies the virus as "backdoor.bot" and "trojan.banker."

    Since I could not clean this infection the first time around, I then tried formatting my hard drive and reloading Windows 7. However, shortly after joining our network domain I became infected again. This has happened countless times since then (reformat, reinstall, join domain, infection). I am not sure how this infection is occurring because we have other PCs on our domain that do not experience the problems I am having.

    If anyone can provide advice or guidance on how to resolve this I would most certainly appreciate it!
    Last edited by Rain4017; 20 Mar 2012 at 10:54. Reason: More info


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    trojan.banker:
    Trojan Banker is a Trojan which is associated with the Banload and Downloader.Banload Trojan. This harmful Trojan gains entry to its victims’ PCs through websites which employ drive-by download tactics and through bundled third party security downloads and updates. This Trojan was designed to monitor its victims’ PC activities, and report it back to its developers.
    A large threat associated with Trojan Banker is its ability to steal its victims’ usernames, passwords and financial and sensitive information. What is more, this seditious Trojan opens various security holes in the system which paves the way for other malicious malware to gain easy entry into the system.
    First, I would suggest that you change ALL passwords using a 'known clean' computer. Not the infected one.

    If you have anything that you've saved on a flash/thumbdrive, that may be the source of infection.

    Flush a bad DNS cache and restore MS's Hosts file:

    Copy and paste these lines into Notepad.

    @echo on
    rem Rebuild the hosts file with only the default localhost entry.
    pushd %SystemRoot%\System32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>hosts
    attrib +r +h +s hosts
    popd
    rem Drop the DHCP lease, re-acquire it and clear the DNS resolver cache.
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack, then reboot.
    netsh winsock reset
    netsh int ip reset
    shutdown -r -t 1
    del %0


    Save as flush.bat to your desktop.
    Double-click the flush.bat file to run it. On Vista and Windows 7, right-click the .bat file and choose Run as administrator. Your computer will reboot itself.

    Download DDS from one of these links:
    Mirror 1 Mirror 2 Mirror 3
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.


  3. Posts : 9
    Windows 7 Professional x64
    Thread Starter
       #3

    Thanks Jacee. I do not have any external storage devices connected to the pc so I think I am okay there. I have used the text you provided to flush my DNS. I have included the contents of both DDS logs here.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/19/2012 2:21:35 PM
    System Uptime: 3/20/2012 2:04:09 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0M5DCD
    Processor: Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz | CPU 1 | 3100/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 452.369 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP3: 3/19/2012 2:25:20 PM - Installed Realtek Ethernet Controller All-In-One Windows Driver
    RP4: 3/19/2012 2:28:20 PM - Windows Update
    RP5: 3/19/2012 2:49:16 PM - Windows Update
    RP6: 3/20/2012 1:34:16 PM - Installed Episys Quest 3.2011.1.103
    .
    ==== Installed Programs ======================
    .
    Episys Quest 3.2011.1.103
    ESET NOD32 Antivirus
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Malwarebytes Anti-Malware version 1.60.0.1800
    NetWrix Endpoint Management Agent
    Realtek Ethernet Controller All-In-One Windows Driver
    .
    ==== End Of File ===========================

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514
    Run by timdavidson at 14:07:10 on 2012-03-20
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.2129 [GMT -4:00]
    .
    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\NetWrix\Endpoint Management Agent\nwxdma.exe
    C:\Windows\system32\svchost.exe -k regsvc
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\NetWrix\Endpoint Management Agent\emsagent.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Intel\11\mbamgui.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\windows\debug\sysavpro.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = <local>
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [Malwarebytes' Anti-Malware] "c:\intel\11\mbamgui.exe" /starttray
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aeclie~1.lnk - c:\program files\hyland\application enabler\AEClient.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
    mPolicies-system: EnableInstallerDetection = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: EnableVirtualization = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    TCP: Interfaces\{2C462C55-8B3F-4BB1-80C2-6C4609E1C5B6} : NameServer = 192.168.248.8,192.168.248.15
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
    R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
    R2 EndpointManagementAgent;NetWrix Endpoint Management Agent;c:\program files\netwrix\endpoint management agent\nwxdma.exe [2011-4-15 22528]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2012-3-19 2656280]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2012-3-19 269824]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2012-3-19 41088]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-3-19 328808]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-20 20464]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-20 40776]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
    S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-19 1343400]
    S4 MBAMService;MBAMService;c:\intel\11\mbamservice.exe [2012-3-20 652872]
    .
    =============== Created Last 30 ================
    .
    2012-03-20 18:06:24 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{75088bda-6b2d-4c47-a559-cb1c0ee42ccc}\offreg.dll
    2012-03-20 17:48:59 7855 ---h-tw- c:\windows\980884S5.bat
    2012-03-20 17:48:59 7855 ---h-tw- c:\windows\6284TQDY.bat
    2012-03-20 17:48:59 7855 ---h-tw- c:\windows\25809GYB.bat
    2012-03-20 17:34:41 -------- d-----w- c:\users\timdavidson\appdata\local\Jack Henry and Associates
    2012-03-20 17:34:28 -------- d-----w- c:\program files\Jack Henry & Associates
    2012-03-20 17:34:27 -------- d-----w- c:\programdata\Jack Henry and Associates
    2012-03-20 15:08:45 7855 ---h-tw- c:\windows\8276PJ2F.bat
    2012-03-20 15:08:45 7855 ---h-tw- c:\windows\11888AT8.bat
    2012-03-20 15:08:36 7855 ---h-tw- c:\windows\4496L0O7.bat
    2012-03-20 15:08:36 7855 ---h-tw- c:\windows\101444W9.bat
    2012-03-20 15:08:30 7855 ---h-tw- c:\windows\34769UDQ.bat
    2012-03-20 15:08:29 7855 ---h-tw- c:\windows\2868BGOI.bat
    2012-03-20 13:55:37 57344 ----a-w- c:\windows\system32\taskmgr.exe
    2012-03-20 13:19:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-03-20 13:00:26 -------- d-----w- c:\users\timdavidson\appdata\roaming\Malwarebytes
    2012-03-20 13:00:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-20 12:47:48 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-19 21:16:50 -------- d-----w- c:\windows\Panther
    2012-03-19 18:59:37 -------- d-----w- c:\program files\ESET
    2012-03-19 18:56:25 -------- d-----w- c:\windows\system32\Wat
    2012-03-19 18:49:34 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-19 18:49:33 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-19 18:41:35 -------- d-----w- C:\import
    2012-03-19 18:41:33 -------- d-----w- c:\programdata\GroupPolicy
    2012-03-19 18:41:14 -------- d-----w- c:\program files\NetWrix
    2012-03-19 18:41:10 -------- d-----w- c:\windows\NetWrix
    2012-03-19 18:41:07 -------- d-sh--w- c:\windows\Installer
    2012-03-19 18:41:07 -------- d-----w- c:\windows\system32\appmgmt
    2012-03-19 18:31:11 -------- d-----w- c:\program files\common files\Intel
    2012-03-19 18:28:29 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{75088bda-6b2d-4c47-a559-cb1c0ee42ccc}\mpengine.dll
    2012-03-19 18:28:28 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-03-19 18:25:30 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
    2012-03-19 18:25:30 328808 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
    2012-03-19 18:25:30 100896 ----a-w- c:\windows\system32\RTNUninst32.dll
    2012-03-19 18:25:27 -------- d-----w- c:\program files\Realtek
    2012-03-19 18:24:58 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll
    2012-03-19 18:24:55 -------- d-----w- c:\program files\common files\postureAgent
    2012-03-19 18:24:49 41088 ----a-w- c:\windows\system32\drivers\HECI.sys
    2012-03-19 18:24:12 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-03-19 18:24:08 -------- d-----w- C:\Intel
    2012-03-19 18:24:06 -------- d-----w- C:\dell
    2012-03-19 18:21:33 -------- d-sh--w- C:\Recovery
    .
    ==================== Find3M ====================
    .
    2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll
    .
    ============= FINISH: 14:07:36.72 ===============


  4. Posts : 1,167
    Windows 7 Pro with SP1 32bit
       #4

    This is a bizarre situation. I would first delete the partition(s) and create free space on the Hard Disk. Then I would recreate the partition(s) and format them. Then I would install windows 7 once again. I would then install a different A-V Program say Avast Free or MSE and Malwarebytes Anti-Malware free and Comodo Free Firewall. Then I shall surf the Net to check if the problem reappears.


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    Download Combofix from any of the links below, and save it to your desktop.<--Important
    Link 1
    Link 2
    Link 3

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Please be patient while the scan runs, at times it may appear to stall.
    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
    After rebooting ensure your Security applications have been re-enabled.

    In your next reply post:
    ComboFix.txt
    ***A guide and tutorial on "How to use Combofix" can be found here:
    A guide and tutorial on using ComboFix

    IF CF won't run:
    During the download, rename Combofix.exe to sVchost.exe


  6. Posts : 9
    Windows 7 Professional x64
    Thread Starter
       #6

    Hello. I followed your instructions and here is the combofix log. I should note that combofix did reboot my pc and upon reboot a ton of internet explorer windows opened so I believe I'm still infected. The log seems to indicate that but just wanted to let you know. Thank you for the continued assistance!

    ComboFix 12-03-21.02 - timdavidson 03/21/2012 13:51:03.1.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.2309 [GMT -4:00]
    Running from: c:\users\timdavidson\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\taskmgr.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!System32!taskmgr.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-21 to 2012-03-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-21 17:55 . 2012-03-21 17:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-21 14:05 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
    2012-03-21 14:05 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
    2012-03-21 14:05 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2012-03-21 14:05 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-21 14:03 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2012-03-21 14:03 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2012-03-21 14:03 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
    2012-03-21 14:03 . 2011-08-13 04:18 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2012-03-21 14:03 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
    2012-03-21 14:03 . 2010-12-17 07:07 542208 ----a-w- c:\windows\system32\kerberos.dll
    2012-03-21 14:03 . 2011-07-09 02:30 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2012-03-21 14:03 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2012-03-21 14:03 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-03-21 14:03 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2012-03-21 14:03 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
    2012-03-21 14:03 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
    2012-03-21 14:03 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
    2012-03-21 14:01 . 2011-07-16 04:15 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2012-03-20 17:34 . 2012-03-21 16:01 -------- d-----w- c:\program files\Jack Henry & Associates
    2012-03-20 17:34 . 2012-03-20 17:34 -------- d-----w- c:\programdata\Jack Henry and Associates
    2012-03-20 16:08 . 2012-03-21 14:48 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75088BDA-6B2D-4C47-A559-CB1C0EE42CCC}\offreg.dll
    2012-03-20 15:56 . 2012-02-15 14:03 788992 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\avrepair.exe
    2012-03-20 15:08 . 2012-03-21 17:57 -------- d-----w- c:\users\TEMP.UECU
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\8276PJ2F.bat
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\11888AT8.bat
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\4496L0O7.bat
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\101444W9.bat
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\34769UDQ.bat
    2012-03-20 15:08 . 2012-03-20 15:08 7855 ---h-tw- c:\windows\2868BGOI.bat
    2012-03-20 13:55 . 2010-11-20 21:29 227328 ----a-w- c:\windows\system32\taskmgr.exe
    2012-03-20 13:19 . 2012-03-20 13:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-03-20 12:47 . 2012-03-20 12:47 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-19 21:16 . 2012-03-19 18:21 -------- d-----w- c:\windows\Panther
    2012-03-19 19:52 . 2012-03-21 13:58 -------- d-----w- c:\users\timdavidson
    2012-03-19 18:59 . 2012-03-19 18:59 -------- d-----w- c:\program files\ESET
    2012-03-19 18:56 . 2012-03-19 18:56 -------- d-----w- c:\windows\system32\Wat
    2012-03-19 18:49 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-19 18:49 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-19 18:41 . 2012-03-19 18:41 -------- d-----w- C:\import
    2012-03-19 18:41 . 2012-03-19 18:41 -------- d-----w- c:\programdata\GroupPolicy
    2012-03-19 18:41 . 2012-03-21 17:57 -------- d-----w- c:\users\opsadmin
    2012-03-19 18:41 . 2012-03-19 18:41 -------- d-----w- c:\program files\NetWrix
    2012-03-19 18:41 . 2012-03-19 18:41 -------- d-----w- c:\windows\NetWrix
    2012-03-19 18:41 . 2012-03-21 16:01 -------- d-sh--w- c:\windows\Installer
    2012-03-19 18:31 . 2012-03-19 18:31 -------- d-----w- c:\program files\Common Files\Intel
    2012-03-19 18:28 . 2012-03-01 18:34 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75088BDA-6B2D-4C47-A559-CB1C0EE42CCC}\mpengine.dll
    2012-03-19 18:28 . 2012-02-23 13:18 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-03-19 18:25 . 2011-01-13 23:58 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
    2012-03-19 18:25 . 2011-01-13 23:58 328808 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
    2012-03-19 18:25 . 2011-01-13 23:58 100896 ----a-w- c:\windows\system32\RTNUninst32.dll
    2012-03-19 18:25 . 2012-03-19 18:25 -------- d-----w- c:\program files\Realtek
    2012-03-19 18:25 . 2012-03-19 18:25 -------- d--h--w- c:\program files\InstallShield Installation Information
    2012-03-19 18:24 . 2010-12-03 18:57 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll
    2012-03-19 18:24 . 2012-03-19 18:24 -------- d-----w- c:\program files\Common Files\postureAgent
    2012-03-19 18:24 . 2010-10-19 20:33 41088 ----a-w- c:\windows\system32\drivers\HECI.sys
    2012-03-19 18:24 . 2012-03-19 18:31 -------- d-----w- c:\program files\Intel
    2012-03-19 18:24 . 2010-12-16 12:10 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-03-19 18:24 . 2012-03-21 17:49 -------- d-----w- C:\Intel
    2012-03-19 18:24 . 2012-03-19 18:24 -------- d-----w- C:\dell
    2012-03-19 18:21 . 2012-03-21 17:57 -------- d-----w- c:\users\admin
    2012-03-19 18:21 . 2012-03-19 18:21 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-01 143384]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-01 176664]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-01 178200]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AE Client.lnk - c:\program files\Hyland\Application Enabler\AEClient.exe [N/A]
    avrepair.exe [2012-2-15 788992]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableInstallerDetection"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableSecureUIAPaths"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableVirtualization"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logoff\0\0]
    "Script"=logoff.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\0]
    "Script"=login.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\1]
    "Script"=FolderWatch.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3973\Scripts\Logoff\0\0]
    "Script"=logoff.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3973\Scripts\Logon\0\0]
    "Script"=login.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3973\Scripts\Logon\0\1]
    "Script"=FolderWatch.vbs
    .
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-03-20 40776]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-01-13 328808]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-19 1343400]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
    S2 EndpointManagementAgent;NetWrix Endpoint Management Agent;c:\program files\NetWrix\Endpoint Management Agent\nwxdma.exe [2011-04-16 22528]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-12-21 95384]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
    S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    TCP: Interfaces\{2C462C55-8B3F-4BB1-80C2-6C4609E1C5B6}: NameServer = 192.168.248.8,192.168.248.15
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\NetWrix\Endpoint Management Agent\emsagent.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\avrepair.exe
    c:\windows\system32\conhost.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-21 13:59:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-21 17:59
    .
    Pre-Run: 484,094,738,432 bytes free
    Post-Run: 483,800,080,384 bytes free
    .
    - - End Of File - - 567A25EDD0080A59B33E66E0C7EFDF41
    Last edited by Rain4017; 21 Mar 2012 at 13:05. Reason: I looked over the log and I forgot to disable Windows Defender before the scan. Sorry about this.
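The process list above is the part of a ComboFix log a responder reads first. As an added example (not from the thread and not ComboFix code), here is a small triage pass over a constructed excerpt in the same format: it normalises the paths, counts instances per image, and flags two things worth a second look: an unusual number of instances of one image (the dozens of iexplore.exe the poster describes) and images running from a user profile, ProgramData, a Temp directory or a Startup folder. The instance threshold, the directory markers and the startup-folder entry in the sample are assumptions made for this example.

```python
"""Triage of a ComboFix 'running processes' listing (added example)."""
from collections import Counter

# Constructed excerpt in the format ComboFix uses: one image path per line,
# a lone "." ends the section. The startup-folder entry is a made-up stand-in
# for the kind of file the poster found in the Startup folder, not a path
# taken from the real log.
SAMPLE_LISTING = """\
c:\\windows\\system32\\svchost.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Internet Explorer\\iexplore.exe
c:\\program files\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe
c:\\windows\\system32\\sppsvc.exe
c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
c:\\users\\example\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\update.exe
c:\\program files\\Internet Explorer\\iexplore.exe
.
**************************************************************************
"""

# Directory fragments where a running executable deserves a closer look.
# Assumed triage heuristic for this example, not a ComboFix rule.
ODD_LOCATION_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\startup\\")


def parse_listing(text):
    """Return normalised image paths from the listing, stopping at the '.' terminator."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if not line:
            continue
        # NTFS paths are case-insensitive: iexplore.exe and IEXPLORE.EXE are one image.
        paths.append(line.replace("/", "\\").lower())
    return paths


def count_images(paths):
    """Instances per image path."""
    return Counter(paths)


def flag_suspicious(paths, max_instances=5):
    """Flag images with more than max_instances copies and images in odd directories."""
    counts = count_images(paths)
    too_many = {p: n for p, n in counts.items() if n > max_instances}
    odd_location = sorted(
        p for p in counts if any(marker in p for marker in ODD_LOCATION_MARKERS)
    )
    return {"too_many": too_many, "odd_location": odd_location}


def triage(text, max_instances=5):
    """Parse a listing and return the findings dict."""
    return flag_suspicious(parse_listing(text), max_instances)


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for path, n in report["too_many"].items():
        print(f"{n:3d} instances: {path}")
    for path in report["odd_location"]:
        print(f"odd location: {path}")
```

The instance threshold is deliberately low for the sample; on a real host it is the comparison against a known-quiet machine of the same build that matters, not the absolute number.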


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    I want you to run these next:

    TDSSKiller:

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


    Please download aswMBR to your desktop.

    • Double-click the aswMBR.exe icon to run it.
    • It will ask to download extra definitions - ALLOW IT.
    • Click the Scan button to start the scan.
    • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.


    If you have any problems running either one, come back and let me know.

    Please reply with the reports from TDSSKiller and aswMBR.
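Both tools asked for in the post above look at the disk below the file system. TDSSKiller was written for the TDSS/TDL rootkit family, whose later variants overwrote the MBR boot code, and aswMBR reads the MBR and boot sectors for the same reason; formatting a partition rewrites that volume, not the MBR, so the first sector has to be checked on its own. The following is an added example, not code from the thread or from either tool, showing the shape of such a check on constructed sectors: parse the partition table, verify the 0x55AA boot signature, and compare a hash of the 440-byte boot code against a baseline. The sample sectors, the hook bytes, the disk signature and the baseline hash are all constructed here; only the seven-byte prologue is the real start of the stock Windows 7 MBR code.

```python
"""Byte-level MBR sanity check on constructed sectors (added example)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # classic MBR layout: code, 4-byte disk signature, 2 bytes, 4x16 table, 55AA
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xaa"

# First seven bytes of the stock Windows 7 MBR (xor ax,ax / mov ss,ax / mov sp,7C00h),
# padded with NOPs: a stand-in for a known-good sector, constructed for this example.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
# Hypothetical bootkit patch: the entry point now jumps elsewhere, everything else is
# untouched. The partition table looks fine; only comparing the code catches it.
HOOKED_BOOT_CODE = b"\xE9\x00\x01" + CLEAN_BOOT_CODE[3:]


def build_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Assemble a 512-byte MBR. partitions: iterable of (status, type, lba_start, sector_count)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<IH", disk_signature, 0)
            + table + SIGNATURE)


def parse_mbr(data):
    """Split a sector into boot code hash, disk signature and non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = data[:BOOT_CODE_LEN]
    (disk_sig,) = struct.unpack_from("<I", data, BOOT_CODE_LEN)
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", data, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an empty slot
            parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "signature_ok": data[510:512] == SIGNATURE,
        "partitions": parts,
    }


def check_mbr(data, baseline_sha256):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(data) != SECTOR:
        return ["not a 512-byte sector"]
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x} on type 0x{p['type']:02x}")
    return findings


def read_physical_drive0():
    """On Windows, read the real first sector (needs an elevated prompt). Not used by the demo."""
    with open(r"\\.\PhysicalDrive0", "rb") as f:
        return f.read(SECTOR)


# One active NTFS partition (type 0x07) starting at LBA 2048: a constructed layout.
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
HOOKED_MBR = build_mbr(HOOKED_BOOT_CODE, PARTITIONS)
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("hooked", HOOKED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "ok")
```

On a real host the sector would come from read_physical_drive0() and the baseline from a known-clean machine of the same Windows build, since the stock MBR code differs between versions. The dedicated tools go further than a hash: they follow where the boot code actually transfers control and look for sectors outside any partition, which is where the TDL4-style bootkits kept their payload.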


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    All of my instructions are for Rain4017. Anyone else that may have a problem, please do not proceed with these downloads! They are only for my own information to help this user.


  9. Posts : 9
    Windows 7 Professional x64
    Thread Starter
       #9

    Hello Jacee. Sorry for the lack of updates, but I ultimately had to format my PC again. While I was running aswMBR, my PC blue-screened and then would not boot back into Windows. After trying a few recovery options, I didn't see any other choice than to format and reload Windows. So far so good, and I have my IT coworkers helping me out a bit with my issues. Thanks for all your help; I do appreciate the time and effort!


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    Thanks for reporting back. :)


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd